Commit
Upgrade Jackson to 2.9.4 in 1.2.* to address a CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

According to the CVE, maliciously crafted JSON input can allow a remote code execution, if it's passed directly to the `readValue` method of `ObjectMapper`. The blacklist of deserialized types is ignored if the Spring libraries are available in the classpath. Dropwizard doesn't use Spring, but some end users use Spring along with Dropwizard, so we should give them a simple way to protect their applications.